Android7.1 添加SSH 功能

平台:rk3399

 

有个需求需要设备支持ssh功能,这东西网上也有类似的资料.

具体的需求是客户提供ssh的公钥,公钥加入到固件里面,烧录后开机起来,设备用ssh 就可以直接连上3399.

本来是做openbear的支持,因为有设备在5.1上支持过,编译没问题,但连接的时候总是被拒绝,找了很久原因没解决,很绝望,只好回头来搞openssh的.

好了,进入主题,其实源码里面external/openssh有了,external/zlib已经支持了,openssl的库也支持了,所以只需要调试openssh.

步骤1:device/rockchip/rk3399/rk3399.mk 添加:

diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
        MmsService
+
+# Openssh
+PRODUCT_PACKAGES += \
+       scp \
+       sftp \
+       ssh \
+       sshd \
+       sshd_config \
+       ssh-keygen \
+       start-ssh
 

编译烧录system.img后,板子上已经有ssh相关命令了

步骤2:先创建出几个key:

mkdir  -p /data/ssh
mkdir  -p /data/ssh/empty
chmod  700 /data/ssh
chmod  700 /data/ssh/empty
cd /data/ssh/
ssh-keygen  -t rsa  -f  ssh_host_rsa_key  -N  “”
ssh-keygen  -t dsa  -f  ssh_host_dsa_key  -N  “”
ssh-keygen  -t ecdsa -f ssh_host_ecdsa_key -N ""

步骤3:将我们电脑上的公钥push进去

adb  push  id_rsa.pub /data/ssh/authorized_keys

步骤4:更改sshd服务配置文件/system/etc/ssh/sshd_config

将#Port  22改为Port 22
讲#PermitRootLogin yes改为PermitRootLogin  without-password
将#RSAAuthentication yes改为RSAAuthentication  yes
将#PubkeyAuthentication yes改为PubkeyAuthentication  yes
将PasswordAuthentication no改为#PasswordAuthentication  no
将#PermitEmptyPasswords no改为PermitEmptyPasswords  yes
将#ChallengeResponseAuthenticationyes改为ChallengeResponseAuthentication  yes
将#UsePrivilegeSeparation  yes改为UsePrivilegeSeparation  no

步骤5:启动ssh服务

start-ssh

启动失败,提示有几个文件找不到,原来是配置目录的路径不对,更改源码:

diff --git a/external/openssh/config.h b/external/openssh/config.h
index 053c276..82aeb89 100644
--- a/external/openssh/config.h
+++ b/external/openssh/config.h
@@ -1574,13 +1574,13 @@
 /* #undef _LARGE_FILES */
 
 /* log for bad login attempts */
-#define _PATH_BTMP "/var/log/btmp"
+#define _PATH_BTMP "/data/ssh"
 
 /* Full path of your "passwd" program */
 #define _PATH_PASSWD_PROG "/usr/bin/passwd"
 
 /* Specify location of ssh.pid */
-#define _PATH_SSH_PIDDIR "/var/run"
+#define _PATH_SSH_PIDDIR "/data/ssh"
 
 /* Define if we don't have struct __res_state in resolv.h */
 /* #undef __res_state */
@@ -1595,7 +1595,7 @@
 /* #undef socklen_t */
 
 #ifndef SSHDIR
-#define SSHDIR "/var/run/ssh"
+#define SSHDIR "/data/ssh"
 #endif
 
 #define _PATH_PRIVSEP_CHROOT_DIR SSHDIR "/empty"

步骤6:编译后再push到设备上,然后sshd_config拷贝到/data/ssh/目录

步骤7:再启动,提示avc denied,这是3399上的selinux的安全策略配置为permissive导致的,可用setenforce先关掉验证,我这里是直接将访问域权限加进去:

diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
index bf59a9e..631c9ed 100755
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -168,3 +168,4 @@
 /backup(/.*)?               u:object_r:system_file:s0
 
 /system/bin/daemonsu                   u:object_r:daemonsu_exec:s0
+/system/bin/start-ssh                  u:object_r:start-ssh_exec:s0
diff --git a/device/rockchip/common/sepolicy/start-ssh.te b/device/rockchip/common/sepolicy/start-ssh.te
new file mode 100644
index 0000000..abff468
--- /dev/null
+++ b/device/rockchip/common/sepolicy/start-ssh.te
@@ -0,0 +1,18 @@
+type start-ssh, domain;
+type start-ssh_exec, exec_type, file_type;
+
+init_daemon_domain(start-ssh)
+allow start-ssh start-ssh:tcp_socket { read write getopt getattr setopt accept create bind listen name_bind node_bind };
+allow start-ssh fwmarkd_socket:sock_file { write };
+allow start-ssh netd:unix_stream_socket { connectto };
+allow start-ssh start-ssh:fd { use };
+allow start-ssh port:tcp_socket { name_bind };
+allow start-ssh node:tcp_socket { node_bind };
+allow start-ssh system_file:file { execute_no_trans };
+allow start-ssh start-ssh:capability { setgid net_raw setuid dac_override net_bind_service };
+allow start-ssh start-ssh:udp_socket { create };
+allow start-ssh system_data_file:file { read open getattr create write };
+allow start-ssh system_data_file:dir { read write open getattr add_name };
+allow start-ssh rootfs:lnk_file { getattr };
+allow start-ssh shell_exec:file { getattr execute read open execute_no_trans };
+allow start-ssh devpts:chr_file { open ioctl getattr read write setattr getattr };
diff --git a/system/sepolicy/domain.te b/system/sepolicy/domain.te
index 7e5dffb..14000c4 100644
--- a/system/sepolicy/domain.te
+++ b/system/sepolicy/domain.te
@@ -469,6 +469,7 @@ neverallow {
   -system_server
   -system_app
   -init
+  -start-ssh
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink

运行起来后,用电脑连接,连接进去后直接就是root用户

ssh [email protected]

运行ok时的/data/ssh目录

rk3399-x24:/ # ls /data/ssh/                                                          
total 27
-rw------- 1 root root  405 2013-01-18 16:50 authorized_keys
drw------- 2 root root 3488 2018-11-28 15:14 empty
-rw------- 1 root root  668 2013-01-18 16:50 ssh_host_dsa_key
-rw------- 1 root root  604 2013-01-18 16:50 ssh_host_dsa_key.pub
-rw------- 1 root root  227 2013-01-18 16:50 ssh_host_ecdsa_key
-rw------- 1 root root  176 2013-01-18 16:50 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1675 2013-01-18 16:50 ssh_host_rsa_key
-rw------- 1 root root  396 2013-01-18 16:50 ssh_host_rsa_key.pub
-rw------- 1 root root    4 2013-01-18 16:50 sshd.pid
-rw------- 1 root root 3341 2013-01-18 16:50 sshd_config
         

剩下的工作就是把启动服务做进固件里面去,然后将/data/ssh/里面的文件全部拷贝出来,编译的时候拷贝到system/etc/ssh/目录,开机再拷贝到data/ssh目录,并设置好相关的权限

diff --git a/device/rockchip/rk3399/rk3399_firefly_box/init.rc b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
index a68ea13..a41ac46 100644
--- a/device/rockchip/rk3399/rk3399_firefly_box/init.rc
+++ b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
@@ -409,8 +409,30 @@ on post-fs-data
     mkdir /data/misc/profman 0770 system shell
+
+       # For ssh 
+       mkdir /data/ssh
+       chmod 777 /data/ssh
+       copy /system/etc/ssh/authorized_keys /data/ssh/authorized_keys
+       copy /system/etc/ssh/ssh_host_dsa_key /data/ssh/ssh_host_dsa_key
+       copy /system/etc/ssh/ssh_host_dsa_key.pub /data/ssh/ssh_host_dsa_key.pub
+       copy /system/etc/ssh/ssh_host_ecdsa_key /data/ssh/ssh_host_ecdsa_key
+       copy /system/etc/ssh/ssh_host_ecdsa_key.pub /data/ssh/ssh_host_ecdsa_key.pub
+       copy /system/etc/ssh/ssh_host_rsa_key /data/ssh/ssh_host_rsa_key
+       copy /system/etc/ssh/ssh_host_rsa_key.pub /data/ssh/ssh_host_rsa_key.pub
+       copy /system/etc/ssh/sshd_config /data/ssh/sshd_config
+       mkdir /data/ssh/empty
+       chmod 600 /data/ssh/empty
+       chmod 600 /data/ssh/authorized_keys
+       chmod 600 /data/ssh/ssh_host_dsa_key
+       chmod 600 /data/ssh/ssh_host_dsa_key.pub
+       chmod 600 /data/ssh/ssh_host_ecdsa_key
+       chmod 600 /data/ssh/ssh_host_ecdsa_key.pub
+       chmod 600 /data/ssh/ssh_host_rsa_key
+       chmod 600 /data/ssh/ssh_host_rsa_key.pub
+       chmod 600 /data/ssh/sshd_config
 
     # For security reasons, /data/local/tmp should always be empty.
     # Do not place files or directories in /data/local/tmp

diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
        MmsService
 
 PRODUCT_COPY_FILES += \
+       $(call find-copy-subdir-files,*,$(LOCAL_PATH)/ssh,system/etc/ssh)

diff --git a/device/rockchip/common/init.rockchip.rc b/device/rockchip/common/init.rockchip.rc
index 00078bb..4ad843e 100755
--- a/device/rockchip/common/init.rockchip.rc
+++ b/device/rockchip/common/init.rockchip.rc
@@ -197,6 +197,11 @@ service getbootmode /system/bin/getbootmode.sh
     disabled
         oneshot
 
+service daemonssh /system/bin/start-ssh
+       class main
+       user  root
+       group root
+


 

你可能感兴趣的:(RK-Android)